Category: DNSSEC

HBO NOW DNSSEC Misconfiguration Makes Site Unavailable From Comcast Networks (Fixed Now)

Wow! Talking about insanely bad timing…  yesterday at Apple’s big event, HBO announced “HBO NOW”, a new streaming service available for only $15/month that will give you access to all HBO’s content.  This was great news for those people who want to “cut the cord” and not have to pay for a cable TV subscription to get content such as this from HBO. All you had to do was go to order.hbonow.com to get started.

One slight problem – the folks at HBO had signed the hbonow.com domain with DNSSEC, but had not done so correctly!

As a result, the many networks around the world that perform DNSSEC validation to ensure that customers are getting to the correct sites (versus being redirected to bogus sites for phishing or malware) were blocking customers from getting to the possibly bogus order.hbonow.com!

In the text below, I will:

  • Explain what appears to have happened with HBO’s misconfiguration of the hbonow.com domain.
  • Provide two examples confirming what seems to have happened.
  • Speculate on why this occurred.
  • Offer some suggestions on what we need to do next.

Comcast (and Google’s Public DNS) Blocks HBOnow.com

One of those networks here in the USA performing DNSSEC validation was, of course, Comcast (and they have been doing so since January 2012), who is both the largest Internet Service Provider (ISP) in North America and also the largest cable TV provider.  They also own NBCUniversal and create their own video content. So of course the immediate reaction was for people to take to Twitter and blame Comcast:

But here’s the thing:

Comcast was CORRECT in blocking HBO’s site!

Because:

  1. The .COM top-level domain (TLD) had a DS record indicating that the hbonow.com site was signed with DNSSEC.
  2. The hbonow.com domain did NOT have the corresponding DNSKEY record.
  3. Comcast’s DNSSEC-validating DNS resolvers identified the problem and blocked access to the site on the assumption that this could have been an attacker attempting to redirect people to an unsigned and potentially bogus website.

DNSSEC worked correctly to prevent people from going to a bogus site.

Unfortunately, the DNS records were “bogus” not because of an attacker but rather because of a misconfiguration on HBO’s end.

This is not the first time Comcast has dealt with a site with misconfigured DNS records.  If you remember back to 2012 there was the issue with NASA.GOV, which turned out to be a problem with the changing of DNSSEC keys.  Comcast and NASA provided a detailed explanation of what happened then.  (And in another case of spectacularly bad timing, the outage occurred on the day of the SOPA/PIPA website protests, leading then to charges on Twitter that Comcast was deliberately blocking sites.)

UPDATE: I’ve had people tell me they also couldn’t get to the HBO NOW site on networks that use Google’s Public DNS Servers as their DNS resolvers – which makes sense because Google has been performing full DNSSEC validation on sites since May 2013.  (I just did not see anyone tweeting about this…)

HBO’s “Solution”

HBO has seemed to “fix” this issue by, unfortunately, simply removing DNSSEC records and returning the domain to a completely unsigned / unprotected state.   Once the incorrect DNS records age out of DNS resolver caches (based on their Time-To-Live (TTL)), or if the DNS resolver caches are flushed of the current records, then the domain will resolve correctly and people will be able to get to the site.

I’ll speculate on what happened in a moment… but here is some confirmation of what occurred.

Confirmation Using DNSViz

Last night on Twitter, Jason Livingood, VP of Internet Services for Comcast (and also, in full disclosure, a member of the Internet Society Board of Trustees as well as a long-time participant in IETF standards activities), tweeted out a DNSViz analysis of the order.hbonow.com domain (click/tap image for larger version):

DNSViz status of order.hbonow.comIt shows in there that there is a DS record for “hbonow.com” that points to a DNSKEY record with the id 51249.  However, that DNSKEY record does not exist in the actual DNS records for “hbonow.com”.

This is why the failure occurred.

When I look at DNSViz right now for the domain, the picture is different:

DNSViz of order.hbonow.comThere is no DS record for hbonow.com and so there is no DNSSEC failure.

Confirmation Using Dig

On my own home office network, I (of course!) use a DNSSEC-validating resolver and found myself unable to get to the order.hbonow.com site.  Last night when reviewing the news about the Apple event presumably somewhere in there my DNS resolver pulled the DNS records for hbonow.com (perhaps due to web browser “pre-fetching”) and so the old records are in my DNS resolver’s cache.  When I go to a command-line and type “dig +dnssec ds hbonow.com”, I get back the following:

;; QUESTION SECTION:
;hbonow.com. IN DS
;; ANSWER SECTION:
hbonow.com. 10697 IN DS 51249 7 1 90DC90D0578FCFDDF6ED5DE0B35E9652CD2396A8
hbonow.com. 10697 IN RRSIG DS 8 2 86400 20150315045041 20150308044041 13787 com. NAY+BNRi4c6rzLOyoFN4OPOGbbUFuDu/kfO37m00pKkSwXxhAa0qkTTQ HIvzeaFPY54hdJlqH1EzdUEDuL2Nz2stv7iQmsakBaHf3fjHpe2L9H4C Q+wk8yc1vmHdcaUhJyuWYalLwJqg8GWmCXUzWAc6JAoZTPOzF4yZkshp unE=

If you notice the “51249” in the first line of the “ANSWER” section, that matches up with what was shown in the first DNSViz image above as the ID of the DNSKEY that is missing.

When I connect into a system on another and perform the same dig command, I get a different response:

;; QUESTION SECTION:
;hbonow.com. IN ANY

There was no answer section, which means there is no DS record.  If I were on that network I would be able to get to the order.hbonow.com site.

The Time-To-Live (TTL) Issue

If you look back at those responses from my network, you will see the “10697” in the answer section.  This is the number of seconds that the record will remain in the cache of my DNSSEC resolver.  In the time it has taken me to write this post, that number is now down to “5224”  – so about 87 minutes left until that record ages out and my system will stop blocking access to the site.

In Comcast’s case, Jason tweeted out that they flushed the caches on their DNS resolvers and so people should have been able to get to the site right after that.   In my case, I logged into the web admin menu for my home server/gateway and clicked the button to flush the cache… but that didn’t seem to work (and so I’m going to be raising a ticket with the software distribution).

For others out there, they still may be unable to get to order.hbonow.com until the TTL expires in the cache of their DNS resolvers.

Speculation On What Happened

Judging from all of this, here is my guess as to what happened.

1. At some point, HBO signed the domain with DNSSEC. The name server (NS) records indicated that the authoritative DNS servers for hbonow.com are at Dyn’s “DynECT” Managed DNS Service.  DynECT provides a way to very easily sign your domain. I use this service myself for several of my personal domains.  You check a couple of boxes and Dyn takes care of all the signing and re-signing for you.  It has worked well for me.

2. A DS Record was uploaded to the .COM TLD. To tie the domain into the “global chain-of-trust” of DNSSEC, a DS record had to be uploaded to the .COM registry.  This DS record provides a fingerprint (a hash) of the DNSKEY record used to sign the domain.   Unfortunately, right now the only way to transmit a DS record to the .COM registry is through the registrar where you registered the domain name.  I know from personal experience that this involves a manual copy-and-paste of the DS Record from Dyn’s web management interface into my registrar’s web management interface.

Next I think either one of two things happened:

3a. The DNSKEY was updated (rolled over) but the DS record at the .COM registry was NOT updated.  Within DNSSEC, a Key Signing Key (KSK) is set to expire at a certain date and time.  Services operated by DNS operators like Dyn will automagically generate new keys and re-sign the zone. In doing so, the DNS operator will also generate a new DS record.  However, there is no automated way for a DNS operator to get the new DS record to the TLD registry.  (This is something the industry is discussing right now!)

Given that I’m not finding any other DNSSEC-signed records in the cache of my local DNS resolver, I think the answer may more likely be…

3b. HBO decided to remove DNSSEC signing, but forgot to remove the DS record from the .COM registry.  Someone at HBO may have decided to remove the DNSSEC signing from the domain.  Perhaps the signing was just an experiment by someone on the IT team.  Or perhaps someone decided to remove the DNSSEC signatures in advance of the launch so that there was one less variable during the huge launch with Apple.

But… in removing the DNSSEC signatures they forgot to remove the DS record from the .COM registry.

Again, this goes to the manual nature of this process.  Someone could have very easily gone into Dyn’s web management interface and un-checked the box for DNSSEC signing.  Easy. Simple. Done.

But they would also have to login to the registrar’s web management interface and remove the DS record. This may have been the step that someone forgot.

The problem here is that:

  • IF a DS record EXISTS in a TLD;
  • AND the corresponding DNSKEY record does NOT exist in a domain;
  • THEN an attacker could be trying to substitute in an unsigned set of DNS records.

This is exactly the kind of “attack” that DNSSEC is designed to prevent!

Unfortunately, HBO seems to have “attacked themselves” by missing a step in the operations of DNSSEC.

What Next?

This failure last night really speaks to the hole we have in the DNSSEC signing process where there is no easy way for a DNS Operator who is NOT the registrar to update the TLD registry with the new records.  The failure here is because of the manual cut-and-paste process that must be currently used.    I wrote about this in a post:

which in turn pointed over to Olafur Gudmundsson’s post on CloudFlare’s blog:

If we look at the steps of DNSSEC signing today, they look like:

DNSSEC Signing Steps

The challenge we have is to somehow improve the communication between the DNS Operators and the Registries.

In the HBO NOW case, if you go back to my speculation, either of two things could have happened with better automation:

1. The DNS Operator could have updated the registry with a new DS record. If the issue was my “3a” above where there was a key rollover without an update to the DS record, the DNS Operator (Dyn in this case) could have updated the .COM registry with the new DS record.

2. The DNS Operator could have signaled the registry to remove the DS record. If the issue was my “3b” where HBO turned off DNSSEC signing, the DNS operator (Dyn) could have signaled the registry to remove the DS record.

We need to fix this!

We need to have better automation here so that these kind of manual issues do not cause failures in the DNSSEC validation process.

If you’d like to help, there is a public mailing list set up for anyone who is interested.  You can join the effort and subscribe at:

https://elists.isoc.org/mailman/listinfo/dnssec-auto-ds

This work will be ongoing for quite some time and will probably wind up in the DNSOP Working Group within the IETF.  It’s a critically important challenge we need to address to bring further automation to DNSSEC deployment and help many more people secure their domains.

Meanwhile, we’ll have to wait to perhaps get some more official news out of Comcast and or HBO… but this appears to be what happened last night.

Comments, suggestions, feedback or disagreements with my analysis are all welcome as comments!

And… if you want to get started with DNSSEC, please do visit our Start Here page to begin.


Other potential discussions of this post:

Middle East DNS Forum Covers DNSSEC – Let’s Fill In The Map!

Over in Amman, Jordon, today our Internet Society colleague Frédéric Donck gave a keynote address at the Middle East DNS Forum where I know he was planning to speak about DNSSEC and our interest in advancing the deployment so that together we can make the Internet more secure via a more secure DNS infrastructure. (His talk was also going to cover Internet governance and infrastructure development topics.)  The folks at the Middle East DNS Forum were kind enough to tweet out a photo of Frédéric in action:

Middle East DNS Forum

In preparation for his presentation at the meeting, I provided Frédéric with a snapshot of our weekly DNSSEC Deployment Maps for the Middle East region (the colors represent the 5 stages of DNSSEC deployment):

dnssec-middle-east-march2015

As you can see, there’s definitely room to have more of the country-code top-level domains (ccTLDs) signed in the region.  From what the database shows, I have this information:

  • Lebanon has signed .LB and the DS record is in the root of DNS.
  • Afghanistan has signed .AF and the DS record is in the root of DNS.
  • Turkey (.TR) is “Announced” because a representative of the registry contacted me with their plans ( and they publicly announced their plans at the ICANN Turkey DNS Forum in November 2014).
  • Israel is in the “Announced” state because a representative of the .IL registry contacted me with their plans.
  • Iraq (.IQ) and Iran (.IR) are in “Experimental” because activity was observed a few years back.

For Lebanon and Afghanistan, they could be in the “Operational” stage and be accepting DS records from domain registrants.  We just don’t know because we have no way to find out unless either: 1) someone from the registry tells us (and I haven’t yet tried to contact these ccTLDs to know); or 2) someone who has registered a domain in those ccTLDs lets us know.

Although the agenda of the Middle East DNS Forum is mostly not about technical topics, I do hope Frédéric’s discussion will ignite some interest and we can start seeing the Middle East region joining the rest of the world in providing a way to secure the integrity of DNS information within the ccTLDs.

In fact, if you are visiting our site as a result of that Forum, please do visit our Start Here page to find out how you can begin with DNSSEC – or please contact us so that we can help you find the appropriate resources.

Let’s fill in that map and get the whole region to be green!

P.S. If anyone has more information about the DNSSEC deployment status of ccTLDs in that region, please do let me know – I’d be glad to update the maps.

Main IETF Website Returns To Being DNSSEC Signed Via CloudFlare

Good news this week for DNSSEC and content-distribution-networks (CDNs)! Last year the Internet Engineering Task Force (IETF) decided to move the main IETF web site over to a CDN to speed up access to IETF web pages for people trying to reach them all over the world.   While this sped up access to the IETF’s content, it unfortunately meant that the main IETF website had to lose its DNSSEC signature because the CDN vendor, CloudFlare, did not yet support DNSSEC.  (I’d note that this was only the main IETF web site – other IETF web sites such as the datatracker and tools sites continued to be DNSSEC-signed.)

Those of us advocating for DNSSEC were naturally disappointed by this move last year, but we understood the need and also understood that CloudFlare was committed to bringing DNSSEC to their customers – and indeed we’ve been writing about CloudFlare’s journey towards DNSSEC.

So this week we were very pleased to see this announcement by IETF Chair Jari Arkko:

Some time ago we moved the static parts of the IETF web page to a CDN service. While this provided a significant improvements for page load times and retained our ability to serve the pages over IPv6, we were unable to provide DNSSEC for the web pages that were being served by the CDN.

Our CDN vendor, Cloudfare, however, has worked in the background to enable DNSSEC for their customers. They have now come back with a system that we have enabled for the IETF web pages. (Thank you Cloudfare, this was important!)

We plan to keep the new arrangement on at http://dnssec.ietf.org for a while before finally moving to this arrangement on http://www.ietf.org. Testing the new arrangement on dnssec.ietf.org would be appreciated!

Jari Arkko, IETF Chair

As noted, the main IETF website is NOT yet DNSSEC-signed at the regular “www.ietf.org” but is instead available with a DNSSEC signature at http://dnssec.ietf.org while everything is tested out.

Regardless, this is great news for DNSSEC, for the IETF … and also as a demonstration that CloudFlare’s implementation is obviously getting that much closer to being available!

Please do check out http://dnssec.ietf.org and give it any kind of DNSSEC-related tests that you can!

IETF web site

And if you haven’t gotten started with DNSSEC yet, please visit our Start Here page to find out how you can begin!

Ziff Davis Webinar Today: DNSSEC – Do You Need DNS Security Now?

Webinar about DNSSECVia Twitter today, I learned that technology journalist Sean Kerner will be speaking in a webinar about DNSSEC at 1:00pm US Eastern today (in about 65 minutes).  If you are interested, more information can be found at:

http://www.eseminarslive.com/c/a/security/GeoTrust-021715/

I’ll be honest and say I don’t know what precisely will be covered in this session but back in the earlier days of DNSSEC deployment (~2010) Sean wrote a number of pieces on the topic and I’ve generally appreciated the coverage he gives to security topics. The abstract sounds useful:

Ever since the Kaminksy DNS security disclosure back in 2008 DNSsec (DNS Security extensions) have been hailed as the key tool in the fight to secure domains. Despite this recognition, few have actually implemented it. What should you do? How does SSL complement or compete with DNSsec to provide security for your domain?

We’ll have to see what he says.

If you are interested in deploying DNSSEC – or simply learning more about it – I would encourage you to visit our Start Here page where you can find DNSSEC resources tailored to your role or type of organization.

If you want to understand the current state of DNSSEC deployment, you may want to view our DNSSEC Deployment Maps or check out some of the different DNSSEC statistics sites that are out there.

And if you want to learn more about how DNSSEC can work with SSL/TLS, please do visit our information about the DANE protocol.

Let’s get the word out there and get more DNSSEC and DANE deployed!

 

 

Free DNSSEC Webinar Today From BT Diamond IP At Noon US Eastern

BTIf you are interested in learning more about DNSSEC and DANE, you can join in to a free webinar today that BT Diamond IP is holding at 12 noon US Eastern (a bit over an hour from now).  You can sign up at:

http://btglobalevents.com/BTGlobalEvents/Index.aspx?inviteeCode=80690.184220.1308

It’s free of cost but in signing up you do provide your contact information to BT.  If you can’t view it live at noon today by signing up you will be able to view the recording and also download the slides.

Tim Rooney at BT Diamond IP asked me if I would participate and I’m glad to do so.  I’ll be giving an overview of DNS and DNSSEC, talking about DANE and giving an overview of the DNSSEC resources we have to offer here at Deploy360.  Tim will be doing a deeper dive into some of the security topics, discussing the DNSSEC Survey they recently completed and briefly touching on a couple of BT solutions in this space.  We’ll end with a question and answer period where people can ask us questions.

As with any webinar or event from a commercial vendor, we’re always a bit careful to note that we are not necessarily endorsing or promoting the products from that vendor.  BT Diamond IP is one of many vendors who provide products and solutions that help companies with DNSSEC (and also IPv6).  They happened to ask me to participate and I’m glad to do so to explain how DNSSEC works and how it and DANE can make the Internet more secure.  I’m also glad to participate in webinars for other vendors, too.

I like the set of slides that Tim and I have put together and I think this should be a very useful and educational session!  Please do join us if you are looking to learn more about DNSSEC and DANE!

P.S. And please visit our Start Here page to learn how you can begin with DNSSEC today!

Watch Live NOW – DNSSEC Workshop From ICANN52 In Singapore

ICANN 52 - SingaporeWhat is happening with DNSSEC in the Asia-Pacific region? What are DNSSEC and DANE all about, anyway? What challenges are large DNS operators encountering when deploying DNSSEC?

As I mentioned last week,  all these questions are being discussed TODAY (in fact right now) at the DNSSEC Workshop at ICANN 52 in Singapore.  You can watch and listen live at:

http://singapore52.icann.org/en/schedule/wed-dnssec

You can also download the slides that will be presented today.  As you look at the agenda, please note that all times are Singapore Time which is UTC+8. (So, for instance, the 8:30 am SGT start time of the DNSSEC Workshop on Wednesday, 11 Feb, will be 1:30am Wednesday in Central European Time and 7:30pm Tuesday evening in US Eastern time.)   Here is a view from the room today:

ICANN DNSSEC Workshop

The sessions for today will be:

  1. Introduction and DNSSEC Deployment Around the World
  2. DNSSEC Deployment in the Asia Region
  3. 10th Anniversary of DNSSEC Workshops
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

As a member of the Program Committee, I am very pleased with the presentations and speakers we have and I’m very much looking forward to the event. The last panel, in particular, is of interest to me as it will involve a number of DNS operators, including CloudFlare, talking about challenges they have encountered while rolling out large-scale DNSSEC and looking to identify solutions within the community. It should be a very interesting session. I also always enjoy the DNSSEC case studies from the regional panels.

If you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

Watch LIVE Today From ICANN52 – DNSSEC For Everybody: A Beginner’s Guide

ICANN 52 - SingaporeAs we mentioned last week, today (Monday, Feb 9) you will be able to watch live from ICANN 52 in Singapore the session:

DNSSEC For Everybody: A Beginner’s Guide

This session will be from 17:00 – 18:30 SGT where we’ll be explaining what DNSSEC is all about and also putting on our “skit” dramatizing what happens with DNS and DNSSEC. This session tends to be a good bit of fun and we’ve heard it has helped a good number of people understand the subject a bit more.  You can follow along remotely (or watch it later) at:

http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Please note that the times are Singapore Time which is UTC+8.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

ICANN Announces DNSSEC Root KSK Rollover Design Team

ICANN.jpgAfter soliciting statements of interest back in December, ICANN announced this week the people who had been selected for the DNSSEC Root Key Signing Key (KSK) Rollover Design Team. They are:

  • Joe Abley, Snake Hill Labs/DyN, CA
  • Jaap Akkerhuis, NLNetLabs, NL
  • John Dickinson, Sinodun Internet Technologies, UK
  • Geoff Huston, APNIC, AU
  • Ondrej Sury, CZ.NIC, CZ
  • Paul Wouters, No Hats/Red Hat, NL
  • Yoshiro Yoneya, JPRS, JP

We’ve written before about how important we believe the rollover of the Root KSK of DNSSEC is, and we are pleased to see this next step in the process.  All of the people selected have been extremely involved in the DNS / DNSSEC community for many years and have contributed in many ways to the ongoing deployment of DNSSEC.

We look forward to hearing the next steps taken by this team to move forward on rolling the Root KSK.  I suspect there will be some discussion at ICANN 52 next week in Singapore, but I also expect much more to happen after that event in the months ahead.

P.S. If you want to get started with DNSSEC, please visit our Start Here page to begin!

CloudFlare Wants To Update DNS Registration Model To Automate DNSSEC

CloudFlare logoOver on the CloudFlare blog today, Olafur Gudmundsson wrote a lengthy post titled “Updating the DNS Registration Model to Keep Pace with Today’s Internet” where he outlines a critical challenge that CloudFlare has run into on their path to implementing DNSSEC for their customers.

Essentially, the issue is this – on the signing side of DNSSEC, the process works like this:

  1. A “DNS Operator” may host your DNS records and sign them with DNSSEC keys.  As part of doing this, they will generate a “Delegation Signer” or “DS” record that must be provided to the parent zone (typically a top-level domain (TLD)) to complete the “global chain of trust”.
  2. The DNS Operator has to communicate this DS record to the Registrar for the domain.
  3. The Registrar then provides this DS record to the Registry that operates the TLD.

This needs to be done initially when the domain is first signed with DNSSEC – and then the process needs to be performed every time the Key Signing Key (KSK) for the domain is rolled over.  Typically this might be done once each year but could be done more or less frequently.  The key point is that every time there is a key rollover, the new DS record must be communicated up to the TLD.

Here’s one way that I show the process graphically:

DNSSEC Signing Steps

Notice the role of the Registrar here. They are in the middle of the process.

And THAT is CloudFlare’s problem.  They say they are hosting 2 million domains for customers.  In order for CloudFlare to automate DNSSEC signing to be as simple as a clicking/tapping a button in their user interface (as they have done for IPv6), they need to be able to interact easily with the registries for all those domains – and in the current system that means interacting with all the registrars!  Making it more challenging, some registrars have a clue about DNSSEC – and many others still don’t.

It’s a challenging issue.  As Olafur notes, there are now DNS records such as CDS and CDNSKEY, defined in RFC 7344, that can help with this, but they will require registrars to do some work to look for those records. But there are larger issues here that get into business processes, too.  For instance, many registrars are also DNS operators who will gladly host your DNS records for you for a fee – they have very little incentive to help make it easy for other DNS operators to host your domain.   There are a number of other issues.

Olafur began talking about this back at IETF 91 in Hawaii and this will be a big panel discussion at next week’s DNSSEC Workshop at ICANN 52 in Singapore (which will be streamed live and also recorded).

There is also a public mailing list set up for anyone who is interested in helping work on this issue.  You can join the effort and subscribe at:

https://elists.isoc.org/mailman/listinfo/dnssec-auto-ds

This work will be ongoing for quite some time and probably wind up in the DNSOP Working Group within the IETF.  It’s a critically important challenge we need to address to bring further automation to DNSSEC deployment and help many more people secure their domains.

Your feedback on all of this is definitely welcome!  Please do leave a comment here… or on Olafur’s blog post… or on social media… or contact Olafur directly.

And… if you want to get started with DNSSEC, please do visit our Start Here page to begin!

Many DNSSEC and DANE Activities At ICANN52 Next Week In Singapore

ICANN 52 - SingaporeWhat is happening with DNSSEC in the Asia-Pacific region?  What are DNSSEC and DANE  all about, anyway?  What challenges are large DNS operators encountering when deploying DNSSEC?   All of these questions and many more will be discussed next week at ICANN 52 in Singapore.  Here is the quick guide – please note that all times are Singapore Time which is UTC+8.  (So, for instance, the 8:30 am SGT start time of the DNSSEC Workshop on Wednesday, 11 Feb, will be 1:30am Wednesday in Central European Time and 7:30pm Tuesday evening in US Eastern time.)


DNSSEC For Everybody: A Beginner’s Guide

The week starts off on Monday, 9 February, 2015, with the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 17:00 – 18:30 SGT where we’ll be explaining what DNSSEC is all about and also putting on our “skit” dramatizing what happens with DNS and DNSSEC.  I don’t know if we’ll be awarded an Emmy anytime soon for our performance… but we have a good bit of fun with it and people have commented that it has really helped them understand how DNS and DNSSEC work.

You can follow along remotely (or watch it later) at:

http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Oh, and you get to see me talk about DNSSEC and blue smoke…


DNSSEC Implementers Gathering

As we noted previously, on Monday evening from 19:30-21:30 some number of us will be heading to a nearby pub for the “DNSSEC Implementers Gathering” where we’ll be talking informally amongst ourselves and figuring out how we can work together to accelerate DNSSEC and DANE adoption.  For perhaps obvious reasons, there is no remote participation available, but if you are in Singapore you are welcome to join us – we just ask for your RSVP by the end of the day tomorrow, Thursday, February 6, 2015.  Thanks to Comcast, NBC Universal and the MPAA for making this gathering possible, as they also did at ICANN 51 in L.A.


DNSSEC Workshop

The BIG event for the week is of course the DNSSEC Workshop on Wednesday, 11 February 2015, starting at 8:30 and ending at 14:45 SGT.  It will be streamed live and you can join in at this address:

http://singapore52.icann.org/en/schedule/wed-dnssec

The slides and other information will be up soon, but I can tell you the agenda will be this:

  1. Introduction and DNSSEC Deployment Around the World
  2. 10th Anniversary of DNSSEC Workshops
  3. DNSSEC Deployment in the Asia Region
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

As a member of the Program Committee, I am very pleased with the presentations and speakers we have and I’m very much looking forward to the event.  The last panel, in particular, is of interest to me as it will involve a number of DNS operators, including CloudFlare, talking about challenges they have encountered while rolling out large-scale DNSSEC and looking to identify solutions within the community.  It should be a very interesting session.   I also always enjoy the DNSSEC case studies from the regional panels.


There will be a number of other side meetings and other discussions going on, but these are the main sessions.  I also understand there will be some DNSSEC activity happening at Tech Day on Monday, 9 February, but the agenda has not yet been posted.  We’ll publish an update once we know more.

If you are at ICANN 52 in Singapore please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.  You can also follow along with our ICANN 52 blog posts as we publish them next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?